Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

View State

Status
Not open for further replies.
Zarcom

Zarcom

Programmer
Joined
May 7, 2002
Messages
1,275
Location
CA
I know this is a dumb question but I must know.
If you hide a textbox .visble = false is it always hidden even in the source. I can't find my hidden fields anywhere in the source so I am assuming they are hidden in the view state field. [ponder]
That'l do donkey, that'l do
[bravo]
 
Sort by date Sort by votes
*bump
why cause I am curious thats why That'l do donkey, that'l do
[bravo]
 
Upvote 0 Downvote
You could just load up a page, hide the text box, and debug on the value of:

ViewState.Item("theID")

If it's nothing, then it's not stored in viewState. If it's got some value, then it is.

:-)
paul
penny1.gif
penny1.gif
 
Upvote 0 Downvote
Oh I guess I didn't word that quite the way I wanted.

I am sure that it is being stored in the viewstate. I would like to know if a hidden text box will always be stored there. The thing is that I am using it in a change password form. The value of the hidden box is that of the old password. For security reasons I don't want someone to be able to "View Source" and find out the value of the old password.
Thanking you for help That'l do donkey, that'l do
[bravo]
 
Upvote 0 Downvote
Hey Zar,

It doesn't matter if they view source or not:
the values in the viewstate are hashed. So even if a user did view source, they'd just see a jumble of letters/numbers that mean nothing at face value.

So it'll still be secure.

Jack
 
Upvote 0 Downvote
So that hidden text box will never be viewable?
Sorry to be so persistent I want to make sure I am on the same page with this. That'l do donkey, that'l do
[bravo]
 
Upvote 0 Downvote
No prob.

I did a test page to test my theory:

I put 2 textboxes and a button on an aspx page. One text box I entered data and set its visible property to false in the designer.

The other textbox I left visible, but toggled the visible property with the command button at runtime. With both textboxes containing text and being visible = false, this is what the viewstate looked like:

"dDw2MDEyNDEyODU7dDw7bDxpPDE+Oz47bDx0PDtsPGk8MT47PjtsPHQ8cDxwPGw8VGV4dDtWaXNpYmxlOz47bDxoZXksIHdoYXRzIHVwPztvPGY+Oz4+Oz47Oz47Pj47Pj47PnjcOppJBUZZDl2j7b3oEdUDCt23"

Now, this will work with asp textboxes, but I'm not sure about the HTML hiden field controls.

hth

Jack
 
Upvote 0 Downvote
akay!
I just needed to be sure some Joe couldn't view the password data that was being held no matter what browser or client he is using.

Thanks for help all That'l do donkey, that'l do
[bravo]
 
Upvote 0 Downvote
From the docs under "Maintaing State in a Control"
"Note ViewState is generally used for persisting form data on a page across round trips. Do not use ViewState to store information such as passwords, connection strings, and file paths. For information about sharing data across pages or more persistent storage, see ASP.NET State Management."

Generate Forms/Controls Resizing/Tabbing Class
Compare Code (Text)
Generate Sort Class in VB or VBScript
 
Upvote 0 Downvote
Here Here to John's input. This topic was covered at the asp.net conference, and the problem is that although it is hashed, it's not encrypted, and the hash routine is pretty simple to unencode and read.

Although it may not be CIA stuff or anything, it's probably still not a good habit to get into.

I feel the impending session variable vs. postback data vs. performance discussion.

;-)
penny1.gif
penny1.gif
 
Upvote 0 Downvote
John/Paul:

I think thats a seperate issue though.

Zar's question was simply whether the value could be viewed by viewing the source, which it can't.

Now, the issue you bring up is how important security of that information is accross the internet. Obviously, if the data is of a nature that it must be secure, the page Zar is using for his "change password" functionality *should* be encrypted ( If it is, then viewstate is a totally viable means to store data that the user never needs to see, but that the developer doesn't want taking room as a session variable.

Of course, if I'm off and for some reason teh viewstate never gets encrypted even with encryption being set, let me know.

But now I think we should have a discussion on SessionVariable vs. Postback Data vs Performance....
;)

Jack
 
Upvote 0 Downvote
Upvote 0 Downvote
Zarcom,
You said,
"For security reasons I don't want someone to be able to "View Source" and find out the value of the old password.
Thanking you for help"

How secure? View state is by default NOT SECURE. It can be decoded by the receiver regardless of https because the receiver is on the decoded side of https. You must specifically request Tamper proofing AND encryption.

Its is base-64 encoded (not encrypted) to stay within a well defined ASCII range which will survive ASCII/UTF-8/UTF-16 and back etc transformations etc.

From MSDN January 2002 MSDN CD.

"Taking a Bite Out of ASP.NET ViewState"

Making ViewState More Secure
Because it's not formatted as clear text, folks sometimes assume that ViewState is encrypted—it's not. Instead, ViewState is merely base64-encoded to ensure that values are not altered during a roundtrip, regardless of the response/request encoding used by the application.

There are two levels of ViewState security you may wish to add to your application:

Tamper-Proofing
A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting.

You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute:

<%@Page EnableViewStateMAC=true %>

EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode store in the posted value. If they don't match, the ViewState data will be discarded and the controls will revert to their original settings.

By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows:

&quot;
<machineKey validation=&quot;MD5&quot; />

Encryption
You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStatMAC=&quot;true&quot;, as above. Then, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm.

<machineKey validation=&quot;3DES&quot; />

Forms/Controls Resizing/Tabbing Control
Compare Code (Text)
Generate Sort Class in VB or VBScript
 
Upvote 0 Downvote
Thanks John I got that from the other posts as well, so I have implemented a different solution that is secure. That'l do donkey, that'l do
[bravo] Mark
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Makumbi256
  • Locked
  • Question Question
How to make days vertical and grid view editable using asp.net vb
Replies
0
Views
1K
Makumbi256
Makumbi256
Jo_Miracle
  • Locked
  • Question Question
Loading Dynamic XML Files In To A Tree View Web Server Control
Replies
1
Views
405
jbenson001
jbenson001
ahm1985
  • Locked
  • Question Question
Selected District not retrieved for employee in edit view get
Replies
0
Views
222
ahm1985
ahm1985
koklimabc
  • Locked
  • Question Question
space change into dot (or bullet) under designer view
Replies
1
Views
343
koklimabc
koklimabc
Adonetok
  • Locked
  • Question Question
View pdf file without adobe reader
Replies
3
Views
339
jbenson001
jbenson001

Part and Inventory Search

Sponsor

Back
Top